ВОЛНА A — Расширенная база данных:
- Новый файл _periodic_data.js (~70 KB): PERIODIC_EXT_DATA + ISOTOPES + SPECTRA
- 30 элементов полностью (H..Au): радиусы, ионизация, теплоёмкость, теплопроводность,
кристалл, распространённость, биология, токсичность, пламя, применения, история,
этимология, минералы, типичные реакции
- 9 элементов с минимумом (Sc, Ti, V, As, Se, Kr, Hg, Pb, I)
- 60 изотопов в 20 элементах (включая ¹³¹I, ¹³⁷Cs, ⁶⁰Co, ⁹⁰Sr, ¹⁴C, ³H, U-235/238)
- 43 эмиссионных линий для 8 элементов (H, He, Li, Na, K, Ne, Ar, Hg)
ВОЛНА B — Визуальные режимы:
- Heatmap по 9 свойствам (En, mass, density, melt, boil, discovered + расширенные)
с jet-colormap, lin/log toggle, легендой, анимацией 400ms
- 3D-таблица через Three.js: bar / wave / stack modes, orbit camera, raycaster hover
- Морф между формами таблицы: standard / long (32-col, f-block inline) / short (8-col)
с staggered fade-in 800ms
- Тренды стрелками: радиус / ЭО / ИЕ / металличность с градиентными arrows
ВОЛНА C — Карточка элемента 2.0 (11 табов):
- Обзор (hero 96px символ + Z + категория-бейдж + quick stats)
- Свойства (17-row таблица расширенных параметров)
- Электроника (Bohr + статичная конфигурация)
- Изотопы (список + bar chart + weighted average mass)
- История (timeline + этимология)
- Применения (15 SVG иконок-сфер + текст)
- Биология (badge: macro/micro/trace/toxic/inert/radioactive)
- Минералы (формулы)
- Спектр (rainbow 380-780nm + линии эмиссии)
- Пламя (цвет + название)
- Реакции (типовые уравнения по типу элемента)
- Hero header с цветом типа; smooth fade transitions между табами
ВОЛНА D — Интерактивные режимы:
- Бинарные соединения: drag 2 элемента → формула (NaCl, Fe₂O₃) + тип связи (ΔЭО)
- Сравнить до 4 элементов: side-by-side + min/max highlight + chart
- Ряд активности металлов: 28 элементов от Li до Au, разделитель H
- Таблица Менделеева 1869: 63 элемента + 4 предсказанных (Ga, Sc, Ge, Tc)
с popup «предсказано vs реально»
- Таймлайн открытий 1660-2024 с slider и auto-play
ВОЛНА G — Электронные конфигурации углубление:
- Orbital filling diagram: квадратики с электронами по Хунду/Паули, glow на валентном
- Aufbau diagram с slider Z 1-118 и анимированным указателем порядка заполнения
- Квантовые числа (n, l, m_l, m_s) — hover на электрон → tooltip
- Возбуждение электронов: click на электрон в Bohr → выбор уровня → анимация
перехода с фотоном (цвет ∝ длине волны через ΔE = 13.6 eV × ...)
periodic.js: 750 → 3239 строк. Все 5 волн ADDITIVE — старая база сохранена.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hydrostatics использовал P_SANDBOX как у dynamics — оба показывали одну
и ту же карточку с блоком/шаром и силами. Добавлен P_HYDRO: мензурка
с погруженным телом + F_A, U-образный манометр с Δh, сообщающиеся сосуды.
Геометрия (планиметрия):
- Живые измерения как объекты: длина / угол / площадь — auto-recompute, draggable chips
- Инструмент ГМТ: sweep мовера через параметр, рисует кривую места точек
- Новые типы точек: on_segment (скользит по отрезку, _t), on_circle (по окружности, _theta)
- Toolbar: «Длина», «Угол», «Площадь», «ГМТ», «На отрезке», «На окружности»
Электромагнитные поля (emfield):
- Merge magnetic.js + coulomb.js в один EMFieldSim с 3 режимами (E / B / комбинированное)
- Унифицированный pipeline: colormap, field lines, vectors, equipotentials, flux loop, test particle
- Combined-режим: полная сила Лоренца F=q(E+v×B)
- Backward compat: #coulomb и #magnetic хеши и ?sim= параметры редиректят в emfield
- Удалены: magnetic.js, coulomb.js. Добавлен: emfield.js
Бросок тела (projectile):
- Режим целей: 3 окна, hit-детекция, HUD «Цели: N/M / Попыток: K»
- Графики x(t), y(t), vx(t), vy(t) — 2×2 Canvas 2D, real-time
- Двойной бросок: одновременно 2 траектории для сравнения (cyan vs gold)
UI fixes (по результатам аудита):
- Заменены emoji/unicode на inline SVG .ic: switch ⌇, spring 〜 (5 мест), download ⬇ (2), camera 📷
- Убраны декоративные символы ☉ ○ из geometry tool labels
- Добавлены THEORY entries: geometry, hydrostatics (раньше показывали fallback)
- Стандартизирована ширина panel для sim-proj и sim-coll (240px)
- waves перенесён в физический блок SIMS catalog (был после биологии)
- Очищен дефолтный sim-topbar-title (был «График функции»)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Both features merged to master; status updated from In Progress to
Complete with merge-commit refs for traceability.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
lab.html 4324L → 3499L (-825L). 824 lines of glue code moved.
Position preserved: lab-glue.js loads after lab-init.js, before
newton.js / forcesandbox.js / etc. — same execution order as inline.
node --check passes. /lab returns 200. /js/labs/lab-glue.js returns 200.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
lab.html 5180L → 4324L (-856L). All CSS moved to frontend/css/lab.css
(855L). Added <link> tag after ls.css for proper cascade.
Visual rendering unchanged — pure file move.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Local quality gate that runs on every git commit:
- node --check syntax on staged .js files
- block on new emoji in staged .js/.html/.css (md files allowed)
- block on new console.log/debug/debugger statements
- backend route auth lint (existing npm run lint:routes)
- backend tests (baseline 3 fails, block if grew)
Install: npm run hooks:install (top-level)
Bypass: git commit --no-verify
Skips slow checks when irrelevant files changed (tests/lint only run
if backend touched).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The feature_classroom_enabled flag was fully wired in backend
(classroom/sessions.js:11-14 returns 403 when '0', initialized in
legacy-migrate.js:870 to '1') but had no UI control — admin could
only flip it via direct SQL.
- adminController.updateFeatures: classroom was ALREADY in allowed list
- admin/sections/games.js: new toggle row with video icon added to GAME_FEATURES
- js/api.js hideDisabledFeatures: classroom path mapping added ('/classroom')
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3D rendering (toggle3D/render3D with VDW radii + sphere gradients) was
implemented but had no visible Esc-key exit and cursor was left in 'grab'
state when leaving 3D mode. Changes:
- Esc key now exits 3D mode (toggle3D) in addition to cancel/close actions
- cursor correctly resets to 'crosshair' on 3D exit and 'grab' on enter
- btn-3d toolbar button confirmed visible with mode-3d-active active state
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Avatar circles in top/worst-5 tables: initials from name, hsl color from hash of name
- Structural skeleton on first load: 4 shimmer card boxes + 5 row placeholders (replaces
LS.state.loading spinner for better layout-anchored feedback)
- @media ≤640px: 2-column main grid, hero card reverts to normal size, quick-grid 2-col
- Palette: existing per-card colors (violet/cyan/green/amber) already form a good muted
hue family with vivid pink/amber for alert cards — kept as is to avoid regression
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- registry.js: добавлен флаг requireConfirmOff для 7 критичных прав (questions.manage, classes.manage, library.upload, courses.manage, sessions.reset, theory.access, simulations.access); byRole() теперь возвращает это поле
- admin.html: subtitle в модале прав — «учителя» → «пользователя»; tooltip на кнопке «Сбросить всё по умолчанию»; поле поиска над сеткой прав; CSS .perm-modified-dot (amber, 8px)
- admin.js: badge «Инд.» → «Индивидуально» (font-size 11px); renderPermissions() рисует .perm-modified-dot когда значение отличается от registry default; togglePermission() показывает LS.confirm перед выключением критичных прав; window.filterPermissions() скрывает карточки и role-блоки по поисковому запросу
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Reset can downgrade effective access (override=1 vs role default=0),
so the user's JWT must be invalidated alongside the DELETE.
Wrapped in db.transaction for atomicity.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- backend/src/permissions/registry.js: single source of truth (PERMISSIONS map)
with all 24 keys (16 teacher + 8 student, student keys also cover free_student).
Exports isKnown(), listKeys(), byRole(), buildDefaultsMap().
- auth.js: PERM_DEFAULTS now sourced from registry.buildDefaultsMap();
new perm() helper validates key at registration time (crashes early on typos).
requirePermission() unchanged — backward compat preserved.
- permissionsController.js: ALL_PERMISSIONS now built from registry.byRole();
inline 24-entry array removed. API response shape unchanged.
- check-route-auth.js: validates every requirePermission/perm call key against
registry; lists unknown keys as errors before exit.
perm() added to GUARDS list so it counts as route protection.
Discrepancy noted: auth.js had free_student with same 8 keys as student;
permissionsController never seeded free_student rows. Registry documents
this via roles:[] array; buildDefaultsMap() correctly covers free_student.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds audit entries for:
- permission.set (role-level change)
- permission.user_set (per-user override)
- permission.user_reset (clear user override)
- feature.update (global feature flag toggle, per-key with old->new diff)
Old value captured for feature.update for full diff trail.
permissionsController: added audit import, wired audit() after each write.
adminController.updateFeatures: replaced bulk audit with per-key entries
capturing old value from app_settings before overwrite.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
setPermission / setUserPermission now bump token_version for affected
users so cached JWTs lose access immediately instead of after expiry.
Aligns with role-change pattern in adminController.updateRole.
Both writes wrapped in db.transaction() so token_version is only bumped
if the permission write itself succeeds.
Also cleaned up inline require('../db/db') calls to use top-level db.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Hardcoded inline <svg class="ic"> markers used as arrow replacements
(left over from emoji removal) were displayed as raw HTML text where
the consumer used textContent or canvas fillText:
- chemsandbox: csbar-v5 (Продукты cell) used textContent → SVG visible.
Switched to innerHTML for consistency with eq/ionNet cells.
Quiz question (qEl.textContent) and answer also receiving SVG —
cleaned via _csClean at source.
- reactions: modeTxt drawn via canvas fillText — replaced SVG with →.
- ionexchange: REACTIONS data + canvas labels — bulk SVG → Unicode arrows.
- newton: action button labels used textContent → switched to innerHTML;
canvas arrow labels: SVG → Unicode →/↓.
- collision: 'KE сохранена' canvas label — SVG checkmark → ✓.
- projectile: canvas badges + textContent wind label — SVG → Unicode ←/→/↩.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Security review caught: per-row hover actions (users.js) and async
user picker (shop.js, gam.js) interpolated user-controlled name into
JS string literals inside onclick. LS.esc() escapes & < > " but
NOT backslash; the .replace(/'/g, '\'') fallback was broken.
Attack: any authenticated user could set their name to
a\'); alert(1); //
via PATCH /api/auth/profile (stripTags doesn't strip \) — admin
viewing the users/shop/gam picker would execute arbitrary JS.
Fix: switch from JS-string interpolation to data-uid/data-name
attributes, read via dataset in handler. esc() correctly escapes
for HTML-attribute context; dataset returns the raw string with
zero parse re-entry.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Now that the deep pages (sub-commit 1) work, retire the legacy
.user-panel inline overlay entirely.
* admin.html: removed <div class="user-panel" id="user-panel"> block
inside #tab-users, removed dead .user-panel* CSS (kept .btn-close
for any external use).
* users.js: removed openUserPanel / closeUserPanel / reloadUserPanel
and their closure state (activeTr, activeUserRole). User row onclick
switched from openUserPanel(...) → AdminRouter.navigate('#users/N').
clearUserHistory / toggleBanUser / confirmDeleteUser / openEditUserModal
/ openUserPermsModal / doSet/doReset* all refactored to use the
getActiveUid() helper (reads window.activeUid, set by user-detail.init)
+ reloadDetailAndList() helper (refreshes deep page + list together).
* sessions.js: row click + eye-button switched from toggleDrawer(id)
→ gotoSession(id) → AdminRouter.navigate('#sessions/N'). Removed
toggleDrawer + renderDrawer functions (~60L) and openDrawerId state.
Inline drawer markup removed from the row template.
Verified node --check on all touched JS. ast-index confirms zero
remaining usages of openUserPanel / closeUserPanel / reloadUserPanel /
toggleDrawer across the repo.
This completes Phase 6 and the admin-redesign feature.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add user-detail.js (~370L) and session-detail.js (~180L) section
modules that render full pages for #users/:id and #sessions/:id, plus
admin.js dispatch and HTML tab-panes. The legacy .user-panel overlay
is intentionally still in place — sub-commit 2 will remove it once the
deep pages are verified.
* admin.js: DEEP_ROUTES map + activateDeepPane(); activate(route, params)
signature; initial dispatch respects hash params (so F5 on #users/123
goes straight to the deep page).
* admin.html: new tab-panes #tab-user-detail / #tab-session-detail and
two script tags. Old #user-panel overlay untouched.
* user-detail.js: header (avatar/role/email/meta) + sub-tabs
(Обзор/Сессии/Классы/Audit) with URL-synced sub-tab routing
(#users/N/sessions etc). Overview: 4 stat cards + per-subject SVG
bar chart. Sessions: clickable rows that navigate to #sessions/N.
Classes: placeholder empty-state (no per-user classes endpoint).
Audit: client-side filter of /admin/audit-log by uid match. Header
action buttons (Изменить/Права/История/Бан/Удалить) call existing
overlay handlers; window.activeUid is set before opening any modal.
* session-detail.js: full header (user/subject/score/stats) + per-
question correctness layout reusing the drawer renderer. Delete
button uses LS.adminDeleteSession then navigates to #sessions.
Clicking the user name opens the user deep page.
* users.js: quickOpenUserSessions now navigates to
#users/<uid>/sessions instead of the bare #sessions list.
Verified node --check on all new/modified JS. baseline npm test still
shows pre-existing 3 auth failures unrelated to this change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2 review caught this: updateCharCounter was defined inside
questions.js IIFE but never exposed via window.X; admin.html:1672
calls it via oninput, would throw ReferenceError on every keypress.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Maxim Dolgolyov